The Texas attorney general and the FBI are reviewing a breach in Internet security at the state comptroller's office that exposed the personal information, including Social Security numbers, of 3.5 million Texans for more than a year.

State Comptroller Susan Combs announced Monday that a routine screening of computer files discovered the information was left on an agency server accessible to the public because of mistakes made at her agency and three others.

"I deeply regret the exposure of the personal information that occurred and am angry that it happened," Combs said. "I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location. We take information security very seriously, and this type of exposure will not happen again."

Combs' office will begin sending letters on Wednesday to inform affected Texans of the breach, which included their names, addresses, Social Security numbers and, in some cases, dates of birth and driver's license numbers. She emphasized that her office has no indication the exposed data had been accessed or misused in any way.

Jerry Strickland, spokesman for Attorney General Greg Abbott's office, said forensic experts in the cybercrimes unit will be working with the FBI "to determine access points" of the computer files.

The blunder occurred as the comptroller's office was attempting to return unclaimed cash and other abandoned assets to its rightful owners. In that endeavor, the agency asked the Teacher Retirement System (TRS), the Employee Retirement System (ERS) and the Texas Workforce Commission (TWC) for information on individuals in their computer systems. That effort was a success: 78,842 individuals were invited to claim $41.5 million in property, comptroller spokesman Allen Spelce said.

According to Spelce, state agencies are supposed to encrypt sensitive information before transferring files, but that procedure was not followed. Compounding the error, the comptroller's office failed to follow its own internal policies for purging such files on a weekly basis.

"We found it out during a security scan of some folders. We had procedures in place, but unfortunately, due to human error, they weren't followed," Spelce said. "The people responsible for this lapse are no longer with the agency."

He declined to say how many employees were involved.

Mary Jane Wardlow, a spokeswoman for the ERS, said her agency sent the data in "the secure format prescribed" in a 2009 interagency contract.

Howard Goldman, a spokesman for the TRS, also said his agency "transmitted the data in question in a secure manner through Secure File Transfer Protocol, and its receipt was acknowledged shortly afterwards by the Comptroller's Office."

Officials at ERS, TRS and TWC first learned of the security breach when they were summoned to Combs' office early Monday for a briefing.

Spelce acknowledged that Combs' office first learned of the problem at 5:15 p.m. on March 31 when attempting to locate the source of spam received by a vendor. A search of all transferred files was begun April 1. The office spent the weekend removing and securing the data in another location, he said.

TXsafeguard.org

On the following Monday, the comptroller's office began an internal investigation to determine the cause and extent of the problem. The attorney general's office joined the probe April 6.

Spelce said the comptroller's office spent the past weekend establishing a website, TXsafeguard.org, that outlines procedures for affected Texans to follow if they are notified their information was compromised. Those affected are urged to contact national credit bureaus and closely monitor "financial profiles for signs of theft and other misuse." Beginning today, the public also can call a special number established by Combs' office, 855-474-2065, to seek further assistance.

The vulnerable data included TRS information on 1.2 million education employees and retirees, the TWC records of 2 million individuals and the ERS information on 281,000 state employees and retirees.

Combs has endorsed legislation enhancing information security, including a pro- posal that each agency designate a chief privacy officer and another to create a state Information Security Council.